On Thu, May 6, 2010 at 5:30 PM, Tim Evans <[email protected]> wrote: > It sounds like a good enough > implementation if you implement reasonable password measures - long enough > length, complexity, etc.
My understanding is that the initial password exchange, while protected against trivial cleartext sniffing, is still vulnerable to an offline attack. That is to say, if someone can sniff your connection, they can sniff the password exchange packets, and set their computer to dictionary/brute forcing. Many possible passwords will be broken in minutes or hours, and most in hours or weeks. People do *not* use 32 character passwords consisting of pure random entropy. If you're lucky, you can generally expect people to use an English word with one uppercase character and one digit. Maybe a really strong passphrase will have a handful of English words. Or someone will use the same password everywhere, and Facebook gets hacked and now *your* network is vulnerable too. And all you need is one account with a password of "Passw0rd!" or whatever, and any script kiddie can get in. I simply no longer regard passwords as an acceptable sole authenticator for remote access. Not when they're talking about 128-bit (16 byte) random keys being insufficient against attacks, and widespread mass compromise of computers is commonplace. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
